In many situations it is desirable to protect memory content against unauthorised access. Encryption of data stored in a memory or other storage medium is a widely used method for achieving such a protection. There are a large variety of known encryption methods providing different degrees of protection against attacks by unauthorised users targeted at breaking the encryption and getting access to the data.
However, secure encryption algorithms such as those defined in the Advanced Encryption Standard (AES) may not meet latency requirements when used for protecting memory content of memory types such as DDR. In many applications latency constraints may impose the choice of less secure but very low-latency encryption schemes such as scrambling techniques that operate on byte level, i.e. replace each byte data by a scrambled byte based on a scrambling key.
Furthermore, even when memory content of a processing device is encrypted with a secure algorithm such as AES, the processing device may still be vulnerable to a number of possible attacks, in particular in the case of storage media whose contents may be written several times during execution. Examples of such attacks include statistical attacks, replay attacks, substitution attacks that can be replayed.
It is thus generally desirable to provide protection of data stored in a storage medium with a low degree of vulnerability to attacks such as statistical attacks.